The Admin console has been updated. A new device setting allows admins to force devices to be re-enrolled to their Admin console, even after a device is wiped. At the startup screen after a wipe, user logins outside of the domain account and guest mode will be blocked. All devices with the policy enforced will force users to re-enroll to the Admin console until the admin deprovisions the device.

This feature is enabled by default and currently requires devices to be enrolled on version 35 of Chrome OS in order to work. In a future update, all devices that are on the latest version will be compatible with this new policy. Devices that are eligible for forced re-enrollment will no longer work with automatic enrollment, and the policy to enable automatic enrollment will be removed from the Admin console in the near future.

2 comments
:

"...and the policy to enable automatic enrollment will be removed from the Admin console in the near future."

WHY DO THIS? What possible benefit comes of this? I think there's going to be an awful lot of upset admins out there if you remove automatic enrollment. In our school, we're able to keep on top of the enrollment process MANUALLY. Large school districts, however, I know use auto-enrollment (and auto OU CB placement). I just don't see this as moving forward. Am I missing something here???

Does automatic re-enrollment eliminate these concerns that were brought up by a district.

....... By creating a USB Chrome OS Image you can wipe the device and set it back to factory. This can be done by going to chrome://imageburner on the chrome device or by downloading https://dl.google.com/dl/chromeos/recovery/chromeosimagecreatorV2.exe and creating it on a windows PC.

For our Samsung’s, hold ESC + Refresh + Power will force book the chrome book in recovery mode, which will force the device to seek the chrome OS Recovery from a USB. This effectively bypasses all security setting. The user then goes through the normal startup setting and logs in to their normal gmail account. This will keep the device from enrolling into management all together.

At this point the user can use the chrome book like they bought it, or to shutdown google from seeking the device install Ubuntu or any other Linux distro to the device, which means they would never have to connect to a google server.

I’ve tried this on two different chrome books, and both times bypassed this security."......